Re: [pydotorg-www] [Webmaster] Fwd: [PSRT] XSS DOM on python.org

2020-01-10 Thread Wes Turner
Is this a variable in a template whose value is controlled by (always untrusted) user-supplied input? Maybe I've misread the vuln report? Doesn't this apply to any website? I.e. a person can edit the HTML of any page with developer tools and add code wherever. AFAIU, users can XSS themselves with

Re: [pydotorg-www] [Webmaster] Fwd: [PSRT] XSS DOM on python.org

2020-01-10 Thread Steve Holden
Hey Victor,

I'm sending this reply to pydotorg-www@, since it is they who handle updating the web site. webmaster@ is a common destination for such queries, but all we can do is what I've just done in most cases.

Kind regards,
Steve Holden

On Fri, Jan 10, 2020 at 5:03 PM Victor Stinner wrote: